Yes, but the keyword is resolve to multiple return IP addresses. I don't think your setup is doing that. If it is, then I am wrong and there is a bug.<br><br>On Monday, January 7, 2013, Matt Wise wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div>That's really odd because the man page states that you can use multiple connect statements.</div>
<div>
<br></div><div><dl><dt><strong>connect</strong> = address</dt><dd><p>connect to a remote address</p><p>If no host is specified, the host defaults to localhost.</p>
<p>Multiple <strong>connect</strong> options are allowed in a single service section.</p><p>If host resolves to multiple addresses and/or if multiple <em>connect</em> options are specified, then the remote address is chosen using a round-robin algorithm.</p>
</dd></dl><div>However, I do think we're seeing the behavior you mentioned...</div><br><span>Sent from my iPad</span></div><div><br>On Jan 7, 2013, at 10:21 AM, Brian Wilkins <<a href="mailto:bwilkins@gmail.com" target="_blank">bwilkins@gmail.com</a>> wrote:<br>
<br></div><blockquote type="cite"><div><p>I am pretty sure stunnel uses the final connect string as the connect host. Round robin only works if dns returns multiple addresses. There was a user patch a while ago that provided a different way.</p>
<div class="gmail_quote">On Jan 7, 2013 12:39 PM, "Matt Wise" <<a href="mailto:matt@nextdoor.com" target="_blank">matt@nextdoor.com</a>> wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I've got dozens of clients connecting with Stunnel to a group of 5 servers. Each system has a config that looks like this:<br>
<br>
> cert = /etc/stunnel/zookeeper.pem<br>
> key = /etc/stunnel/zookeeper.key<br>
> CAfile = /etc/stunnel/zookeeper_ca.pem<br>
> verify = 2<br>
> delay = yes<br>
> sslVersion = TLSv1<br>
> client = yes<br>
> setuid = stunnel4<br>
> setgid = stunnel4<br>
> pid = /var/lib/stunnel4/zookeeper.stunnel4.pid<br>
> socket = l:TCP_NODELAY=1<br>
> socket = r:TCP_NODELAY=1<br>
> TIMEOUTconnect = 2<br>
> session = 86400<br>
> debug = 5<br>
> [zookeeper]<br>
> accept = 127.0.0.1:2182<br>
> failover = rr<br>
> connect = prod-zookeeper:2182<br>
> connect = prod-zookeeper-1:2182<br>
> connect = prod-zookeeper-2:2182<br>
> connect = prod-zookeeper-3:2182<br>
> connect = prod-zookeeper-4:2182<br>
> connect = prod-zookeeper-5:2182<br>
<br>
<br>
Essentially the first host is a load balancer, and the next 5 are the actual zookeeper hosts so that we can bypass the ELB if it's giving us fits. Now what we're seeing is that almost every connection ends up on prod-zookeeper-5. Over and over and over again, our hosts pick the same system each time. We're running Stunnel 4.52:<br>
<br>
> Clients allowed=8000<br>
> stunnel 4.52 on i486-pc-linux-gnu platform<br>
> Compiled/running with OpenSSL 0.9.8k 25 Mar 2009<br>
> Threading:PTHREAD SSL:ENGINE Auth:LIBWRAP Sockets:POLL,IPv6<br>
<br>
<br>
Any ideas what might be wrong here? Obviously we want the connections to be *roughly* random across the list of hosts... and if one of the hosts goes down, and the connection fails, we want the stunnel service to try again, and randomly pick a new host. It doesn't really seem to be doing that though.<br>
<br>
--Matt<br>
<br>
_______________________________________________<br>
stunnel-users mailing list<br>
<a href="mailto:stunnel-users@stunnel.org" target="_blank">stunnel-users@stunnel.org</a><br>
<a href="https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users" target="_blank">https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users</a><br>
</blockquote></div>
</div></blockquote></div>
</blockquote>
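The thread above argues about whether several <code>connect</code> lines plus <code>failover = rr</code> spread connections across targets or keep landing on the last one. As an added example (not stunnel's code, and not posted by anyone in the thread), the Python below models the semantics the quoted man page describes: every <code>connect</code> target is expanded into each address its name resolves to, new connections rotate over that list, and an address whose attempt fails is skipped in favour of the next one. The config text is modelled on the [zookeeper] section in the thread, while <code>FAKE_DNS</code>, the IP addresses and the "host is down" simulation are constructed stand-ins so the script runs offline. It models the documented behaviour, not what stunnel 4.52 actually did, which is exactly the point in dispute; <code>share_of_busiest</code> is the kind of check you would run over real connection logs to confirm the "everything ends up on one host" symptom.

```python
from collections import Counter
from typing import Callable, Dict, Iterable, List, Tuple

Addr = Tuple[str, int]

# Constructed config text modelled on the [zookeeper] section quoted in the thread.
SAMPLE_CONFIG = """\
client = yes
verify = 2
[zookeeper]
accept = 127.0.0.1:2182
failover = rr
connect = prod-zookeeper:2182
connect = prod-zookeeper-1:2182
connect = prod-zookeeper-2:2182
"""

# Constructed, offline stand-in for DNS; the addresses are hypothetical.
FAKE_DNS: Dict[str, List[str]] = {
    "prod-zookeeper": ["10.0.0.10", "10.0.0.11"],   # balancer name with two A records
    "prod-zookeeper-1": ["10.0.1.1"],
    "prod-zookeeper-2": ["10.0.1.2"],
}


def parse_services(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse stunnel-style INI text into {service: [(key, value), ...]}.

    Duplicate keys are kept in order instead of being collapsed into a dict,
    because a service section may legitimately repeat 'connect'.
    """
    services: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            services[current] = []
            continue
        if current is None or "=" not in line:
            continue  # global options before the first section are not needed here
        key, _, value = line.partition("=")
        services[current].append((key.strip(), value.strip()))
    return services


def expand_targets(options: List[Tuple[str, str]],
                   resolve: Callable[[str], List[str]]) -> List[Addr]:
    """Turn every 'connect = host:port' into one (ip, port) per resolved address."""
    addrs: List[Addr] = []
    for key, value in options:
        if key != "connect":
            continue
        host, _, port = value.rpartition(":")
        host = host or "localhost"   # man page: a missing host defaults to localhost
        for ip in resolve(host):
            addrs.append((ip, int(port)))
    return addrs


class RoundRobinFailover:
    """Pick the next address in rotation; skip any address whose attempt fails."""

    def __init__(self, addrs: Iterable[Addr], try_connect: Callable[[Addr], bool]):
        self.addrs = list(addrs)
        if not self.addrs:
            raise ValueError("service has no connect targets")
        self.try_connect = try_connect
        self.next_index = 0   # persists across connections so the rotation continues

    def connect(self) -> Addr:
        for _ in range(len(self.addrs)):
            addr = self.addrs[self.next_index]
            self.next_index = (self.next_index + 1) % len(self.addrs)
            if self.try_connect(addr):
                return addr
        raise ConnectionError("every connect target refused the connection")


def simulate(config: str, service: str, n_connections: int, down: Iterable[str]) -> Counter:
    """Run n_connections through the selector; IPs listed in `down` fail to connect."""
    down = set(down)
    options = parse_services(config)[service]
    selector = RoundRobinFailover(
        expand_targets(options, lambda host: FAKE_DNS[host]),
        try_connect=lambda addr: addr[0] not in down,
    )
    return Counter(selector.connect()[0] for _ in range(n_connections))


def share_of_busiest(counts: Counter) -> float:
    """Fraction of connections on the single most-used target; 1.0 is the
    'every connection lands on one host' symptom described in the thread."""
    total = sum(counts.values())
    return max(counts.values()) / total if total else 0.0


if __name__ == "__main__":
    healthy = simulate(SAMPLE_CONFIG, "zookeeper", 8, down=())
    degraded = simulate(SAMPLE_CONFIG, "zookeeper", 6, down={"10.0.1.1"})
    print("all up:  ", dict(healthy), "busiest share", share_of_busiest(healthy))
    print("one down:", dict(degraded), "busiest share", share_of_busiest(degraded))
```

With all four addresses reachable, eight connections split two per address; with one address failing, the rotation simply steps past it and the remaining three still receive equal shares. If a real deployment shows a busiest share near 1.0 with several healthy targets, the balancing is not behaving as the man page text describes, which is the situation reported above.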